Whole Disk Encryption

1. The Whole Disk Encryption Service

Members of the University often have highly sensitive and confidential data which is stored, accessed, and manipulated on their devices (including desktops, laptops, mobile devices, and USB sticks).

Data which the University deems to be confidential can take many forms. If you access your University email using a client on your computer (e.g. Outlook), for example, a copy of your emails is stored on your hard disk drive to allow access when your computer is offline. This is confidential data, and should be encrypted.

It is the University's policy to ensure that data on portable devices are appropriately protected from unauthorised access. If data is going to be taken out of the office, it is essential that this data is inaccessible to unauthorised users, for example following the loss or theft of a device.

Whole Disk Encryption (WDE) is a method of achieving this. WDE encrypts the entire contents of a hard disk drive and makes them accessible only with a passphrase. This passphrase is entered when the computer is switched on, and without it the data on the hard disk drive is indecipherable.

2. Deciding whether encryption is needed

Your departmental or college Information Security Policy should determine whether your laptop needs to be encrypted. In general, if your laptop is likely to hold confidential data (e.g. in documents or via email), or you are unsure, then you should probably encrypt your laptop using either the University service or another available solution such as BitLocker (Windows), FileVault (OS X), or TrueCrypt. Confidential data is defined in the information security policy, but some examples of data that are likely to be confidential are: student or staff records, unpublished research data, reserved committee papers and minutes, and information collected under a data protection statement. If you are storing or processing substantial volumes of personal data then you should consider it confidential and encrypt.

To help your department decide whether or not encryption is needed we have also produced a flow chart.

3. How it works

Whole Disk Encryption works by encrypting all of the data on your hard disk drive with a secret key. This key can only be accessed with a passphrase chosen by you. When your computer is started and the correct passphrase is entered, the key can be used to unlock your computer's hard disk drive and start your computer in the usual way thereafter.

Unlocking your data as you access it does not noticeably slow down your computer. It also does not affect any of the programs on your computer or the way that they function.

Figure 1. When your computer is turned on you will need to type in the passphrase

4. How to get your laptop encrypted

The WDE service is designed to be delivered and supported by local IT Support Staff once they have been trained and accredited by IT Services.

Your first step is to get authorised to use the service by your divisional authoriser. You can make the approach yourself or you can ask your IT Staff to do that for you. The divisional authorisers are:

Once you are authorised, your chosen accredited IT Support person can then enrol you, install the software and set up the encryption for you.

5. Travelling with your encrypted laptop

Many countries have restrictions on the import and export of encryption technology and software. It is important to be aware of these restrictions before travelling. There are often personal-use exemptions to these controls, meaning that travelling to these countries with an encrypted laptop should not cause too many problems.

Once your hard disk drive has been encrypted, it cannot be decrypted without contacting your local IT Support Staff, and this is not a quick process. Decryption is what would be needed for the laptop to no longer require a passphrase, so that it can be taken into countries with import restrictions on encryption technology.

If you are planning to travel with your encrypted laptop, we recommend reading this Jisc Community blog, which also contains links to recommendations from the UK Foreign Office and US State Department.

6. Support

To encrypt your laptop, or if you forget your passphrase, you should get in touch with your local IT Support Staff.

Local IT Support Staff are able to unlock your hard disk drive using a Whole Disk Recovery Token (WDRT). Once this has been done, you can change the passphrase. For further help, see our information on passphrase recovery.
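The relationship between the disk key, your passphrase and the recovery token described in sections 3 and 6 can be sketched as follows. This is an added illustration, not code from the University's service and not the WDE product's real key format: the header layout, function names and token value are hypothetical, and a PBKDF2-derived XOR mask with an HMAC tag stands in for the AES key wrap a real product would use, because the Python standard library has no AES.

```python
import hashlib, hmac, os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this sketch

def _stretch(secret: bytes, salt: bytes) -> bytes:
    # 64 bytes: first 32 mask the disk key, last 32 authenticate the slot.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=64)

def make_slot(secret: bytes, disk_key: bytes) -> dict:
    """Wrap the 32-byte disk key under a passphrase or recovery token."""
    salt = os.urandom(16)  # fresh salt, so the mask is never reused
    k = _stretch(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, k[:32]))
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def open_slot(secret: bytes, slot: dict) -> Optional[bytes]:
    """Return the disk key, or None if the secret is wrong."""
    k = _stretch(secret, slot["salt"])
    tag = hmac.new(k[32:], slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], k[:32]))

def recover_and_change_passphrase(header: dict, token: bytes,
                                  new_passphrase: bytes) -> bool:
    """Support path: unlock with the recovery token, replace the user slot."""
    disk_key = open_slot(token, header["recovery"])
    if disk_key is None:
        return False
    header["user"] = make_slot(new_passphrase, disk_key)  # disk data untouched
    return True

if __name__ == "__main__":
    disk_key = os.urandom(32)  # constructed sample key
    token = b"CONSTRUCTED-RECOVERY-TOKEN"  # constructed sample token
    header = {"user": make_slot(b"forgotten phrase", disk_key),
              "recovery": make_slot(token, disk_key)}
    print(recover_and_change_passphrase(header, token, b"new long phrase"))
    print(open_slot(b"new long phrase", header["user"]) == disk_key)
    print(open_slot(b"forgotten phrase", header["user"]))  # None
```

Because only the small wrapped copy of the disk key is rewritten, a passphrase change after recovery does not require re-encrypting the disk, and the old passphrase stops working immediately.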

7. More about Whole Disk Encryption

Whole Disk Encryption uses a piece of software that is installed on your computer to encrypt the contents of your hard disk drive with a passphrase that you select. Once you have installed the software and input your passphrase, the encryption process will begin. You will still be able to use your computer during the encryption process.

This is an intensive process, and so only occurs when your computer is connected to the mains. If you need to unplug your laptop during encryption, the process will pause, and resume when the mains supply is restored. It is also safe to turn off your computer, and the process will resume the next time it is switched on.

When your computer is started, it will ask for your passphrase immediately. It will also offer you the choice to enter your Windows password instead; however, this will not work. When you type your passphrase, it will not be displayed, although the cursor will move to show you the keystrokes are being recognised.

Without this passphrase, the contents of your computer are unreadable. For this reason, it is important that the passphrase you choose is strong. The software used to encrypt the hard drive will not accept a passphrase that is too weak. See our advice on how to choose a strong password.

8. Frequently Asked Questions

What protection does WDE offer?

WDE protects data on an encrypted device once it is turned off. It can therefore protect against disclosure of valuable information in the event of a device being lost or stolen.

Is it just for laptops?

No, but laptops are usually the focus because they are carried around with us. WDE can be used on desktop devices and even servers, but is only recommended where physical security is considered insufficient or the data is so sensitive as to warrant the extra level of protection. If you are encrypting desktops and servers in particular, you need to make sure you have good backups and recovery plans!

What if I forget my passphrase?

Local IT Support Staff are able to unlock your hard disk drive using a Whole Disk Recovery Token (WDRT). For further help, see our information on passphrase recovery.

If I move my data off the machine will it still be encrypted (e.g. on a USB device or in an email)?

No - effectively this service encrypts the container, not the data. So when the device is powered down the data is inaccessible, but if you move the data to another device like a USB stick then the data won't be encrypted.

So can I use the service to encrypt USB devices?

Yes, but bear in mind that to access the USB device you will need a machine with the client software installed and of course the passphrase. If you need to use encrypted USB devices you should consider hardware encrypted devices instead.

What about other mobile devices like my iPad?

The University service is not available for other mobile devices as there is no client software available for them. However, most modern devices have a level of encryption built in; it is just a case of configuring the device correctly. More information on configuring mobile devices securely is provided in the mobile devices section of the information security pages.

What other solutions exist?

There are many other solutions, some of which are products in their own right and some of which come as part of the operating system. For more details on some of these, and for instructions on how to set up encryption using those products, check out FileVault for OS X and BitLocker for Windows. However, IT Services are not resourced to provide support for alternative WDE technologies.

Why should I use the central WDE service instead of other solutions?

Other solutions such as FileVault for OS X and BitLocker offer similar levels of security to the central WDE service, but the WDE service helps to manage some of the risks introduced by using encryption. Features of the service include:

centralised management and policy enforcement

enforcement of passphrase quality

easy passphrase and machine recovery

audit trails of encryption and decryption

FIPS 140-2 validated, CAPS approved, DIPCOG approved

You should also check your local information security policy as it might be your department's policy to use the central service.

How do I choose a good passphrase?

The security of WDE depends entirely on choosing a strong passphrase and NEVER sharing it with anyone (including PAs, IT support staff etc.). The passphrase requirements for the WDE service are therefore quite stringent in terms of the "quality" of the passphrase required. However, there are no requirements in terms of complexity (i.e. different character sets, minimum/maximum length etc.). One way to come up with a passphrase that will be strong enough and easy to remember is to use long but memorable phrases. To find out more, and to understand why "thisisareallygoodpassword" fits the bill, see our advice on choosing good passwords and passphrases. PS - don't choose "thisisareallygoodpassword"!

Can I share my password with other users of my machine?

NO! Absolutely not. Never. Not with PAs, not with IT support staff, not with anyone. The security of the encryption depends entirely on the security of the passphrase.